Publishing of Windows 2016 Server RemoteApp and automatic delivery of icons to the Start Menu doesn't work

    Question

  • I'm trying to set up a lab with a VM hosting all the roles for Windows 2016 Server Remote Desktop Services (CB, SH, WA) to publish a few apps to be delivered to Windows 10 Professional Clients.

    All machines are joined to a domain. There is an Active Directory Certification Authority installed in the domain which issued trusted certificates for all the roles of the RDS server. The certificate issued has proper Subject Name and Subject Alternate Names.

    The _msradc DNS records (TXT type) point to the web feed of the published apps: https[omissis]/feed

    A Group Policy Object provides the address of the web feed to the clients: https[omissis]webfeed.aspx

    Indeed I checked in the registry of the client machine and under HKCU\Software\Policies\Microsoft\Workspaces there is the proper value "DefaultConnectionURL". The key HKCU\Software\Microsoft\Workspaces\Feeds is empty.

    But in the Start Menu there is no RemoteApp.

    If I go through the Control Panel, Manually Login to RemoteApp & Desktop, and I input something@lan....biz, I'm asked for credentials.

    This is a bit surprising because:

    1. SSO is not effective at this level?
    2. How can the RemoteApp be delivered to my Start Menu automagically if the list of those published RemoteApp (the web feed) is not accessible without prior authentication?

    Because the list of RemoteApp is customized per-user it is logical that authentication is required to get this list. So I suspect there is some setting/policy to be applied so that credentials of currently logged on users are passed automatically to IIS and RDS. I hope that solving this also solves the problem of missing apps in the Start Menu.


    Thursday, November 09, 2017 6:26 PM

Answers

  • Hi,

    I think I got a result. To summarize:

    • Windows 10 Pro v1709 seems mandatory for RemoteApp publishing through WebFeed to work properly; it's very disappointing that an update is not available for previous versions of Windows 10 considering the fact WebFeed publishing is the official way of publishing RemoteApp;
    • in my case the update to v1709 wasn't enough; but at least some error message appeared in the event log; after reinstalling the RDWA role, things went better;
    • despite what was written above, the membership of RDWA server to Local Intranet Zone of Internet Explorer seems not necessary for SSO;
    • but it's mandatory to add "TERMSRV/*.lan.mydomain.com" to the SPN list allowed for default credential passing through CredSSP;
    • it's also advisable to add the thumbprint of the certificate used to sign .rdp files to the proper policy.

    Monday, November 13, 2017 9:48 AM
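
    A client-side check for the two policies named in the answer above, as an added example that is not part of the original thread. It assumes the standard Group Policy registry locations for "Allow delegating default credentials" and for the trusted .rdp publisher thumbprints; the host name rds.lan.mydomain.com is a constructed placeholder.

```powershell
# Added example (not from the thread): audit the client-side policies named in the answer.
$DelegKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'
$TsPolicy = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-DelegatedSpn {
    # SPN patterns from "Allow delegating default credentials"; empty when the policy is unset.
    if (-not (Test-Path $DelegKey)) { return @() }
    $key = Get-Item $DelegKey
    @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-SpnCovered {
    param([string]$Target, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        # Only '*' is a wildcard in the policy list; escape everything else.
        $rx = '^' + [regex]::Escape($p).Replace('\*', '.*') + '$'
        if ($Target -match $rx) { return $true }
    }
    return $false
}

function Get-BroadSpn {
    param([string[]]$Patterns)
    # Entries with no host suffix hand default credentials to any server of that class.
    @($Patterns | Where-Object { $_ -match '^(\*|[^/]+/\*)$' })
}

function Get-TrustedRdpThumbprint {
    # "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers"
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $v = (Get-ItemProperty "$hive\$TsPolicy" -ErrorAction SilentlyContinue).TrustedCertThumbprints
        foreach ($t in ($v -split ',' | Where-Object { $_ })) {
            # Whitespace is stripped; an invisible character pasted along with the
            # thumbprint survives and makes Valid false.
            $clean = ($t -replace '\s', '').ToUpper()
            [pscustomobject]@{ Hive = $hive; Thumbprint = $clean; Valid = ($clean -match '^[0-9A-F]{40}$') }
        }
    }
}

# Constructed sample host; replace with the FQDN of your RD Session Host.
$target = 'TERMSRV/rds.lan.mydomain.com'
$spns   = Get-DelegatedSpn
"Delegated SPN patterns : $($spns -join '; ')"
"Covers ${target} : $(Test-SpnCovered $target $spns)"
"Overly broad entries   : $((Get-BroadSpn $spns) -join '; ')"
Get-TrustedRdpThumbprint | Format-Table -AutoSize
```

    An entry reported as overly broad, such as TERMSRV/*, delegates the logged-on user's credentials to any host the client connects to over RDP, so the list is best scoped to the domain suffix of the RDS servers, as the answer does.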

All replies

  • Hi,

    1. Are you using Windows 10 Pro 1709? If not, please update to it and test since there is a bug with a couple of previous versions that can prevent RemoteApp and Desktop Connections (RADC) from working properly.

    2. On the client, please check the RADC log for related warnings/errors.  This can be found in Event Viewer\ Applications and Services Logs\ Microsoft\ Windows\ RemoteApp and Desktop Connections\  

    Please post Event id, Source, and text of related event(s).

    Thanks.

    -TP

    Thursday, November 09, 2017 8:41 PM
    Moderator
  • Hi, thanks for your reply.

    At present I'm using Windows 10 Pro 1703 Build 15063.483 and I'm not sure if I can update right now; I'll check in the next days.

    About the event log (Admin subset) I don't see anything suspect. There is no event related to "automatic discovery" of RemoteApp connections, succeeded or failed. The only events I see are for example

    - ID 1022 and ID 1019 (Info) when manual search of RemoteApp connections providing an email address as a hint succeed

    - ID 1020 (Info) when I remove manually added RemoteApp connections

    - ID 1000 (Error) when I dismiss the authentication dialog that pops up when I start manual search

    Thanks

    -AC

    Thursday, November 09, 2017 9:21 PM
  • Hi,

    As a temporary workaround, I suggest you try to use the script within this link below to configure RemoteApp and Desktop Connection on problematic Windows 10 systems.

    Configure RemoteApp and Desktop Connection on Windows 7 Clients

    https://gallery.technet.microsoft.com/scriptcenter/313a95b3-a698-4bb0-9ed6-d89a47eacc72

    Best Regards,

    Amy



    Friday, November 10, 2017 10:23 AM
    Moderator
  • Hi,

    Currently under 1703 RemoteApp and Desktop Connections (RADC) doesn't work properly.  Hopefully there will be a windows update released soon that fixes the issue.  You can try the script Amy mentioned as workaround, however, please note this will not restore full RADC functionality that you would have if not for the bug.

    -TP

    Friday, November 10, 2017 1:12 PM
    Moderator
  • Hi,

    I'm not sure if, under Windows 2016 Server, it is possible to generate the .wcx file needed to try the workaround.

    I found a sample and I adapted it in this way:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <workspace name="Work Resources" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <defaultfeed url="http://rds.[omissis].biz/RDWeb/feed/webfeed.aspx"/>
    </workspace>


    Unfortunately, double clicking the file returns an error "Client configuration file not valid: cannot continue".

    Running rundll32.exe 'tsworkspace,WorkspaceSilentSetup' .....\workspace.wcx does nothing.

    - AC

    Friday, November 10, 2017 9:47 PM
  • Hi,

    That sample wcx file you have is incorrect. Please use the sample below:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <workspace name="Work Resources" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <defaultFeed url="https://rdweb.domain.com/RDWeb/Feed/webfeed.aspx" />
    </workspace>

    Thanks.

    -TP

    Friday, November 10, 2017 10:54 PM
    Moderator
  • Hi,

    Ok, now with your sample, double clicking opens a dialog to connect to Remote App Workspace. But clicking next still asks me for credentials. Nothing is done automatically.

    If I launch

    rundll32.exe tsworkspace,WorkspaceSilentSetup C:\workspace.wcx

    (the "active ingredient" of Amy's script) nothing happens.

    My opinion is that Credential Request when accessing the web feed is the problem to solve. Nothing can be installed automatically in the Start Menu from the web feed if the web feed is not accessible without the need for the user to type credentials.

    What do you think?

    -AC

    Friday, November 10, 2017 11:52 PM
  • Hi,

    Yes, I agree.  It is normal to be prompted for credentials if you double-click on the file or manually set up the feed.  When running the silent setup it will automatically log on to the site if Internet settings permit it.

    The server needs to be in a zone that allows automatic logons, such as Local intranet or Trusted sites for the script to work.

    -TP

    Saturday, November 11, 2017 4:23 AM
    Moderator
  • Hi,

    A small step forward.

    I added "*.lan.mydomain.biz" to the list of Local Internet Sites in Internet Explorer and checked that Local Internet Zone in Internet Explorer allows for automatic logon.

    Indeed, when I point Internet Explorer to the address http or https[omissis]webfeed.aspx, I'm no longer asked for credentials, but I'm prompted to download a file WebFeed.aspx, which contains some hexstrings encoded data.

    But...

    When I run rundll32.exe ... still nothing is setup in my Start Menu.

    The program rundll32.exe returns immediately. I don't really think it can even try to connect to the RDWA and download anything (Fiddler seems to confirm).

    When I double click wcx, and I enter user credentials, an error occurs ("Please contact the admin").

    In the event viewer, RemoteApp and Desktop Connections, Error Event ID 1000 is generated, Attached Error Code is 2147500037.

    -AC


    Saturday, November 11, 2017 9:20 AM